microsoft-open-hack-containers-v2

  Environment Logins

To connect to the Microsoft portal, launch a browser in guest or in-private mode using the credentials below.

Display Name    User Name                                         Password
Hacker One      hacker11df@msftopenhack6855ops.onmicrosoft.com
Hacker Two      hacker2u6k@msftopenhack6855ops.onmicrosoft.com
Hacker Three    hacker30gz@msftopenhack6855ops.onmicrosoft.com
Hacker Four     hacker4lvk@msftopenhack6855ops.onmicrosoft.com
Hacker Five     hacker56iw@msftopenhack6855ops.onmicrosoft.com
Hacker Six      hacker6uo6@msftopenhack6855ops.onmicrosoft.com

Putting the Pieces Together

Now that your cluster is connected to your production network and has passed the initial scrutiny of your security team, it’s time to further improve your application’s security and open it up to external traffic.

Challenge

Some security concerns were addressed in the previous challenge, but it’s important to continue to keep security in mind for this challenge (and in the real world!).

Security

To improve secret management, you have additional security requirements mandated by your CTO:

  1. Secrets should be secured in an external vault, not on the cluster. This approach prevents values from being accessed directly by any person without permissions or access to the vault itself.
  2. Access to the external key vault should not require a secret stored in the cluster.
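One way to meet both requirements on AKS is to keep the SQL connection values in Azure Key Vault and have the Secrets Store CSI driver mount them into the pod, authenticating with a Microsoft Entra workload identity so that no client secret or service-principal credential ever lives in the cluster. The manifests below are an added example written for this page, not part of the OpenHack brief or its sample repository; the namespace "api", the service account "trips-sa", the Key Vault secret names, the mount path /mnt/secrets and every angle-bracket value are assumptions or placeholders.

```yaml
# Added example (not from the OpenHack materials): Key Vault secrets mounted
# into the Trips API pod via the Secrets Store CSI driver using workload
# identity. Placeholders in <ANGLE-BRACKETS> must be replaced; names such as
# "api", "trips-sa" and the secret object names are assumptions.
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: trips-sa
  namespace: api
  annotations:
    # Client ID of the user-assigned managed identity that holds a federated
    # credential for system:serviceaccount:api:trips-sa (placeholder).
    azure.workload.identity/client-id: "<MANAGED-IDENTITY-CLIENT-ID>"
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv-sql
  namespace: api
spec:
  provider: azure
  parameters:
    # Workload identity: no pod identity, no node identity, and no client
    # secret stored anywhere in the cluster.
    usePodIdentity: "false"
    useVMManagedIdentity: "false"
    clientID: "<MANAGED-IDENTITY-CLIENT-ID>"
    keyvaultName: "<KEY-VAULT-NAME>"
    tenantId: "<ENTRA-TENANT-ID>"
    # Assumed Key Vault secret names; each one becomes a file in the mount.
    objects: |
      array:
        - |
          objectName: sql-server
          objectType: secret
        - |
          objectName: sql-user
          objectType: secret
        - |
          objectName: sql-password
          objectType: secret
        - |
          objectName: sql-dbname
          objectType: secret
  # No secretObjects block on purpose: syncing to a Kubernetes Secret would
  # write the literal values back into the cluster's etcd.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: trips
  namespace: api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: trips
  template:
    metadata:
      labels:
        app: trips
        # Required so the workload identity webhook injects the token.
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: trips-sa
      containers:
        - name: trips
          image: "<REGISTRY>/tripinsights/trips:latest"   # placeholder image
          ports:
            - containerPort: 80
          volumeMounts:
            # The API reads its SQL settings from these files (assumption).
            - name: secrets-store
              mountPath: /mnt/secrets
              readOnly: true
      volumes:
        - name: secrets-store
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: azure-kv-sql
```

This assumes the cluster has the OIDC issuer, workload identity and the Azure Key Vault provider for the Secrets Store CSI driver enabled, that the managed identity has a federated credential for the service account above, and that it holds the Key Vault Secrets User role on the vault. Two checks cover the CTO's requirements: `kubectl exec -n api deploy/trips -- ls /mnt/secrets` should list the four files, and `kubectl get secrets -n api` should show no secret holding the SQL values. If an API can only take its configuration from environment variables, a `secretObjects` block would sync the vault values into a Kubernetes Secret for `secretKeyRef` use, but that puts the literal values back on the cluster and should be a conscious trade-off.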

Ingress

Although you have multiple services deployed to the cluster, you will want a single endpoint for your customers to reach. To do this, create an ingress controller and configure the ingress rules to route to the appropriate services. The References section contains more information on the paths for the different components.

In order to validate that your application is working as expected, you will need to submit a single endpoint (http://endpoint.you.provide) to a provided simulator. The simulator will start sending traffic to the APIs once you provide your endpoint. It expects to make calls to the APIs by name (http://endpoint.you.provide/api/trips for example). You can see data start to flow through your app via the Trip Viewer application. The simulator is deployed as a container instance in your subscription and you will find the URL for the simulator in the Messages tab of your OpenHack portal.

Desired Architecture

An architecture diagram showing traffic flow into the Kubernetes cluster directed by an ingress controller. External traffic comes into the ingress controller, and from there is redirected based on path. “/api/poi” is directed to the POI service; “/api/trips” to Trips; “/api/user” to User; and “/api/user-java” to User-Java. The path “/” is directed to the TripViewer (Web) front end. Arrows indicate communication between TripViewer (Web) and the 4 API microservices as well as between the APIs and Azure SQL.
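The routing in the diagram can be expressed as a single Ingress resource once an ingress controller is running. The manifest below is an added example for this page, not something taken from the OpenHack materials; it assumes an ingress-nginx controller registered as IngressClass "nginx", Services named poi, trips, user, user-java and tripviewer that all listen on port 80, and that those Services live in the same namespace "api" as the Ingress (an Ingress can only reference Services in its own namespace). It also assumes the APIs already serve their routes under the /api/... prefixes shown, so no path rewrite is applied.

```yaml
# Added example (not from the OpenHack materials): path-based routing for the
# TripInsights services. Service names, ports and the "api" namespace are
# assumptions; adjust them to match your deployments.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tripinsights
  namespace: api
  annotations:
    # The simulator calls plain http://<endpoint>/api/..., so do not force a
    # redirect to HTTPS here; add a tls: section once a certificate exists.
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  ingressClassName: nginx
  rules:
    - http:
        paths:
          - path: /api/poi
            pathType: Prefix
            backend:
              service:
                name: poi
                port:
                  number: 80
          - path: /api/trips
            pathType: Prefix
            backend:
              service:
                name: trips
                port:
                  number: 80
          - path: /api/user-java
            pathType: Prefix
            backend:
              service:
                name: user-java
                port:
                  number: 80
          - path: /api/user
            pathType: Prefix
            backend:
              service:
                name: user
                port:
                  number: 80
          # Catch-all for the Trip Viewer front end; listed last so the more
          # specific API prefixes are easy to read, though matching is by
          # longest prefix rather than by order.
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tripviewer
                port:
                  number: 80
```

With `pathType: Prefix`, matching is done element by element, so /api/user does not capture /api/user-java. After `kubectl apply -f` the ADDRESS column of `kubectl get ingress -n api` shows the controller's public IP; that address, as http://<ADDRESS>, is the single endpoint to hand to the simulator, and `curl -i http://<ADDRESS>/api/trips` should return a response from the Trips API rather than the nginx 404 page. Note that this exposes every listed path to the internet over plain HTTP; restricting the controller's load balancer with a network security group and adding TLS are the natural next hardening steps.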

Success Criteria

  • Your team secured your Azure SQL Server connection information such that literal values cannot be inappropriately accessed
  • Your team used an external key vault to store and access secrets inside your cluster, and ensured that access does not require a secret stored in the cluster
  • Your team ensured that all links on the Trip Viewer site are reachable
  • Your team ensured the simulator can successfully update the values in the application across all services

References

API paths reference

API configuration reference

Azure Kubernetes Service (AKS)

Kubernetes

Azure

Overview

OpenHack

Hello and welcome to OpenHack, a challenge-oriented hack event from Microsoft. You will be presented with a series of challenges, each one more difficult than the one before.

You should already be assigned to and seated with a team, with whom you will attempt to solve as many challenges as you can within today’s hack time.

You have been assigned a coach who will be your first point of contact, and is here to support you and answer questions during the hack. They will not, however, solve the challenges for you.

You may notice a resource group called teamResources in your Azure subscription. This resource group contains any pre-provisioned resources referenced in the challenges.

The Premise

You work for Humongous Insurance. One of their products provides customers the opportunity to qualify for lower car insurance rates. Customers can do this by opting in to use Humongous Insurance’s TripInsights app, which collects data about their driving habits. Your team has been assigned to modernize the application and move it to the cloud.

The TripInsights application, once a monolith, has been refactored into a number of microservices:

ApplicationArchitecture.png
  • Trip Viewer WebApp (.NET Core): Your customers use this web application to review their driving scores and trips. The trips are being simulated against the APIs within the OpenHack environment.
  • Trip API (Go): The mobile application sends the vehicle’s on-board diagnostics (OBD) trip data to this API to be stored.
  • Points of Interest API (.NET Core): This API is used to collect the points of the trip when a hard stop or hard acceleration was detected.
  • User Profile API (NodeJS): This API is used by the application to read the user’s profile information.
  • User API (Java): This API is used by the application to create and modify the users.

The source code of all the microservices is available here.

The Challenges

Each challenge will lead you through a stage of the technical investigation as briefly laid out by your fictional CTO. These investigations become more technically challenging as you progress.

We do not provide guides or instructions to solve the challenges, just a few hints and documentation references that you may find useful. There are multiple ways to solve each challenge, and very likely some we haven’t thought of. We’re interested in seeing your own unique solutions to each problem, and you should absolutely work with your coaches and the OpenHack Team to validate your solution as correct.

One final tip: read everything very carefully.

The OpenHack team have worked hard to ensure each problem is solvable. All the details you should need are within the challenge briefs, which are very carefully written and worded to give you clues toward the solution. Reading them fully is the best way to figure out a solution, as small points can be easily missed. Your coaches will help to fill gaps in your understanding, provided you ask them the right questions.
